On Thursday, February 23, 2012, the Centers for Medicare and Medicaid Services (CMS), pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, released a 455-page Proposed Rule specifying the Stage 2 criteria that eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) must meet in order to qualify for Medicare and/or Medicaid incentives related to electronic health records (EHRs). The Proposed Rule would also modify certain Stage 1 criteria, as well as criteria that apply regardless of Stage, as previously published in the Final Rule in the Federal Register on July 28, 2010. The proposed provisions related to Medicaid (calculation of patient volume and hospital eligibility) would take effect shortly after the Proposed Rule is finalized and would not be subject to the proposed one-year delay of Stage 2 meaningful use of a certified EHR. The Proposed Rule states that the changes to Stage 1 would take effect for 2013, but that most of them would be optional until 2014. Last but not least, the Proposed Rule addresses the Medicare payment adjustments that will apply to EPs, eligible hospitals and CAHs that fail to demonstrate meaningful use of certified EHRs by 2015, and proposes exceptions to those adjustments.
Of immediate interest to privacy and security watchdogs is the Proposed Rule’s Meaningful Use (MU) measure requiring EPs, eligible hospitals and CAHs to conduct or review a security risk analysis that specifically addresses the encryption/security of data at rest in accordance with the specified HIPAA Security Rule provisions, to implement security updates as necessary, and to correct identified security deficiencies as part of the provider’s risk management process. CMS notes that this MU measure is the same as the Stage 1 measure except that it specifically addresses the encryption/security of data stored in the EHR (i.e., data at rest).
CMS states that, due to the number of breach reports involving lost or stolen devices (40 percent of the total large breaches), the Health Information Technology (HIT) Policy Committee recommended that the MU Stage 2 criteria highlight the importance of reviewing encryption practices as part of a Security Rule risk analysis. CMS states: “Had these devices been encrypted, their data would have been secured.” “Secured” here carries its breach-notification meaning: under HHS guidance, ePHI encrypted in a manner consistent with NIST guidance (NIST Special Publication 800-111 for data at rest) is not “unsecured” PHI, so its loss on a stolen device does not trigger breach notification, provided the decryption key was not stored on the same device. (See our post earlier today to the HITECH Law Blog reminding covered entities of the February 29, 2012 data breach report deadline.)
More specifically, the Stage 2 enhancement to the Stage 1 MU risk assessment standard will require EPs, eligible hospitals and CAHs to assess either the mechanisms currently in place, or the implementation of a mechanism, to encrypt and decrypt electronic protected health information (ePHI) (45 CFR 164.312(a)(2)(iv)), and to assess whether that mechanism is a reasonable and appropriate safeguard in their environment with reference to the likely contribution it will make toward protecting the entity’s ePHI (45 CFR 164.306(d)(3)). Encryption of ePHI is an “addressable” implementation specification under the Security Rule, so where adopting an encryption mechanism is not reasonable and appropriate, the entity must document why and implement an equivalent alternative measure if that alternative is reasonable and appropriate. CMS noted that this is not a change to the HIPAA requirements and requires nothing more than HIPAA already requires.
Public comments on the Proposed Rule are due within 60 days after its publication in the Federal Register. As indicated, the Proposed Rule runs 455 pages. We’ll continue to review the many proposed and modified criteria and report on them here on the HITECH Law Blog. Stay tuned!